Though the number of COVID-19-themed scams has exploded since the start of this year, infosec outfit Secureworks reckons that overall online criminality has remained fairly steady.
Plenty of other infosec companies have been keen to talk about the rise in coronavirus-themed scams and phishing, but Secureworks rather broke the mold when it declared earlier this month that it hadn't seen a general increase in online badness.
Don Smith, the firm's senior director of cyber intelligence, told The Register: "The threat level is pretty much constant but the actors have significantly shifted their focus, their lures and their phishes to almost exclusive focus on COVID-19," adding: "But that's just the same lures and phishes that would have been coming out with a different subject matter four months ago."
Since the coronavirus pandemic spread from a local problem in China to become a global threat, governments and companies alike have warned of an explosion in COVID-19-themed spam. GCHQ offshoot the National Cyber Security Centre declared earlier this month that it had taken down a number of web domains which it said had been linked to coronavirus-related malware hosting, botnet command-'n'-control servers and the like.
All of this, said Secureworks, is proof that malicious people have poured most of their cybercrime resources into the lure du jour currently grabbing the world's attention, rather than spinning up a vastly increased set of capabilities right as countries entered lockdown.
Less tax, more theft
Mike McLellan, a Secureworks researcher, commented that the firm "normally sees spikes around tax season, spikes in HMRC scams and suchlike", something that had been much less in evidence this year.
"Because of the global appeal of COVID-19 and the longevity of it, everyone's kind of converged on the same theme at the same time," he said. "Given the appearance of a huge spike in activity, there's more of a coalition of actors all using the same kind of thing to trick people."
Nonetheless, there is still background state-sponsored and other cybercrime activity still going on. When El Reg asked about the level of background activity, Secureworks pointed to a recent blog post setting out in more detail what it's seen since January.
McLellan explained: "All the botnets we track have been consistently active, apart from Emotet – that came back online recently but that was due to retooling rather than anything else... Hostile state actors aside, possibly there was a slight dip around January to February [in phishing and common-or-garden malware threats], as much related to COVID-19 being an issue in [the creators'] countries rather than anything else."
Cat's away, mice will play
One particular instance was with a Trickbot campaign that Secureworks spotted spreading in Italy in early March – at the same time that a very real-world virus was spreading. McLellan said that 10 days after the Italian government initiated nationwide lockdown, "we saw banks being added to webinject configurations for Trickbot. That looks to us like Trickbot operators decided Italy might be a good country to go after, especially Italian banks. I'm speculating here but potentially more people are going to be at home; online banking is going to be more important in that scenario."
Tempering the company's counter-FUD position, Smith was keen to stress that "we're not being complacent here, we're not siting here chuckling and saying 'let's move along.' We're initially assessing if there is any elevated risk."
The idea that overall malware threats have not increased despite the huge surge in virus-themed lures over the past few months will comfort some. With the British state and the infosec industry alike keen to share simple and effective infosec advice to the general public, perhaps this might become a golden era for cybersecurity education – and the avoidance of FUD. ®